pam-u2f

Idea: use hmac-secret to hook into the keyrings and open them (like when using pw)

Open My1 opened this issue 2 years ago • 3 comments

Is your feature request related to a problem?

When logging in with pam_u2f, both kdewallet and gnome-keyring pop up and ask for a password, as they obviously didn't get one from logging in.

Usually, when you log in and the keyring passwords are the same as your login password, the keyrings will just auto-unlock.

Describe the solution that you'd like

Ideally a solution that could, for example, leverage hmac-secret to provide some values to aid in the decryption.

Describe the alternatives that you've considered

I honestly don't know enough about PAM to think of a way this could work better, unless you go as far as to set the keystore password equal to the PIN and have the PIN redirected to the keyring (which is a bad idea, as I expect a PIN to generally be comparatively weak).

My1 avatar Jan 22 '23 00:01 My1

The login key ring appears to only support a single password (checked with GNOME keyring through seahorse), which means that we'd have to somehow unwrap the same secret for (the potential case of) multiple enrolled authenticators (e.g. if the user has a primary and backup device).

Additionally, allowing the user to also unlock the login key ring with their ordinary password means that the value we unwrap would have to be the password itself, bringing even more complexity (e.g. handling password changes) and potential side-effects in the PAM stack. All in all, these factors would make this feature quite complicated and a low priority.

Or is there something I'm missing?

FWIW, there are some related projects unlocking the key ring through other methods, see for example https://github.com/recolic/gnome-keyring-yubikey-unlock which relies on GnuPG.

LDVG avatar Jan 26 '23 10:01 LDVG
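The "one keyring secret, several enrolled authenticators" problem described in the comment above, sketched as an added example that is not code from pam-u2f or from either commenter. The FIDO2 hmac-secret step is simulated in software (a real authenticator computes HMAC-SHA256 over a per-credential random value and the caller's salt internally, never exposing that random value), and the wrapping is an assumed minimal HMAC-SHA256 encrypt-then-MAC standing in for a real AEAD so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
from typing import Optional


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 device with the hmac-secret extension."""

    def __init__(self):
        self._cred_random = os.urandom(32)  # stays inside a real device

    def hmac_secret(self, salt: bytes) -> bytes:
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC; demo substitute for AES-GCM etc.
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big"))
                    for i in range(length // 32 + 1))


def wrap(kek: bytes, secret: bytes) -> dict:
    enc_key, mac_key = _prf(kek, b"enc"), _prf(kek, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(enc_key, nonce, len(secret))))
    return {"nonce": nonce, "ct": ct, "tag": _prf(mac_key, nonce + ct)}


def unwrap(kek: bytes, blob: dict) -> Optional[bytes]:
    enc_key, mac_key = _prf(kek, b"enc"), _prf(kek, b"mac")
    if not hmac.compare_digest(blob["tag"], _prf(mac_key, blob["nonce"] + blob["ct"])):
        return None  # wrong device-derived key, or a tampered record
    stream = _stream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def enroll(authenticators, keyring_password: bytes) -> list:
    # One record per device: a fresh salt plus the same keyring password
    # wrapped under that device's hmac-secret output for the salt.
    records = []
    for auth in authenticators:
        salt = os.urandom(32)
        records.append({"salt": salt, "blob": wrap(auth.hmac_secret(salt), keyring_password)})
    return records


def unlock(auth, records) -> Optional[bytes]:
    # Try every record; only the enrolled device that produced the KEK succeeds.
    for rec in records:
        pw = unwrap(auth.hmac_secret(rec["salt"]), rec["blob"])
        if pw is not None:
            return pw
    return None
```

Because every record wraps the password itself, a keyring password change means re-running enroll for each device, which is the extra complexity the comment points out.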

EDIT: Never mind, I had probably locked my computer and unlocked it with the password at least once while messing around. I just tested it after a fresh reboot and while I don't get asked to unlock the keyring with my password immediately after logging in, it either silently unlocks the keyring when I lock my screen and unlock it with my password, or explicitly asks for the password to unlock the keyring when I do something it needs credentials from the keyring for (e.g. connect to my smartphone through FTP with saved credentials).


My keyring is simply accessible after logging in without a password, only YubiKey U2F. Am I missing something? I'm new to this.

I wanted to create single factor authentication using YubiKey FIDO, with optional fallback to my password.

I added this line to /etc/pam.d/common-auth before the other configuration lines: auth sufficient pam_u2f.so authfile=/etc/u2f_mappings pinverification=0 cue [cue_prompt=Touch the YubiKey to authenticate]

When I reboot, I'm able to login by touching the YubiKey (my home directory is not encrypted at the OS level, if that matters). When I run Passwords and Keys (/usr/bin/seahorse) it shows my keyring is unlocked.

I'm running Linux Mint 20.3. I compiled libpam-u2f from the source today.

kaoneko avatar Feb 06 '23 18:02 kaoneko

Or is there something I'm missing?

Honestly, no idea, but those seem to be valid arguments. I just knew that the keyring can auto-unlock and that it doesn't with pam-u2f, and just got the idea. I don't have any deep knowledge of the keyrings for KDE, GNOME or otherwise.

My1 avatar Feb 13 '23 16:02 My1